Optiv Threat Intel App for Splunk


Agenda

• Intro
• Threat Intelligence Primer
• Architecture
• Demo/Hunting Exercise
• Q&A


About  Your  Presenter 


Derek  Arnold 


• Principal  Consultant  - Optiv 

• 14  years  in  security 

• Focused  on  enterprise  IT 

• Avid  indoorsman 

• Training  for  marathon 

• Three  children  under  nine 


Threat  Intelligence  Primer 


Threat  intelligence:  enterprise  capability 
to  leverage  data,  tools  and  processes 
together  with  human  assets  to  approach 
security  in  a smarter  way. 

• Security Information and Event Management
(SIEM) is a key component

• It  does  not  have  to  be  expensive  or  complicated 

• https://www.optiv.com/blog/accessible-threat-intelligence

• https://www.optiv.com/blog/the-business-case-for-an-intelligence-driven-security-program
Splunk Apps


• Splunk  can  be  used  as  an  advanced  correlation 
tool  for  your  machine  data 

• Other  Splunk  apps  required  hardware  appliances, 
premium  API  keys  or  advanced  configuration 

• Nothing  was  hitting  the  mark,  so  I built  a new  one 

• The  goal  of  the  app  is  to  provide  accessible  threat 
intelligence  in  a curated  setting,  with  little  to  no 
need  for  configuration  or  search  language 
knowledge 

• In  five  minutes  or  less,  one  can  download  and 
install  the  free  app  and  start  collecting  and 
correlating  actionable  threat  intelligence  with  their 
organization’s  machine  data 

• https://splunkbase.splunk.com/app/2837/ 
Optiv Threat Intel


[Screenshot: Splunkbase listing page for the app]

Overview: 

Optiv Threat Intel is a Splunk App that automatically correlates your data with several popular
open threat lists. After a few mouse clicks we can start hunting for log sources that are
reaching out to, or being attacked from, known attackers. The app can provide increased
visibility to potentially malicious activity going on in the organization.

Features: 

* Threat  list  visualization  that  shows  where  most  of  the  attackers  are  located  on  a globe. 

* Easily  choose  indexes,  sourcetypes,  or  hosts  for  log  entries  that  match  threat  list  destination 
IPs,  URLs  and  domains. 

* Email  alerting  feature  to  notify  you  of  a threat  list  match  that  is  correlated  against  your 
organization's  machine  data. 

* IP  search  feature  that  displays  threat  list  activity. 

* Domain  search  feature  that  displays  threat  list  activity. 

* RSS  feed  which  will  poll  several  information  security  news  sites  and  consolidate  the  stories 
on  one  page. 




VERSION 3.00
Security and Compliance
Splunk Enterprise
App
Splunk 6.4, 6.3
CIM 4.4, 4.3
GNU General Public License v3
Platform Independent
COMMUNITY SUPPORTED
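The matching the feature list above describes (log entries whose destination IPs, URLs or domains appear on a threat list, grouped by host and sourcetype) can be sketched outside Splunk. The following is an added example, not code from the original deck or from the Optiv Threat Intel app: the feed names, the key=value log lines and the threat-list entries are all constructed for illustration, and it goes slightly beyond the text by also handling CIDR ranges and parent-domain matches (so a hit on `evil.example` also catches `cdn.evil.example` but not `notevil.example`).

```python
"""Correlate constructed log lines against constructed threat-list entries.
Added example, not the Optiv Threat Intel app's own code; feeds, hosts and
log lines are hypothetical."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed threat-list entries: bare IPs, CIDR ranges and domains,
# each tagged with the (hypothetical) feed it came from.
THREAT_LIST = {
    "198.51.100.23": "scanner-feed",
    "203.0.113.0/24": "botnet-c2-feed",
    "evil.example": "malware-domain-feed",
}

# Constructed key=value log lines, as a firewall, proxy or DNS server might emit.
SAMPLE_LOGS = [
    "host=fw01 sourcetype=fw src=10.0.0.5 dest=198.51.100.23 action=allowed",
    "host=proxy01 sourcetype=proxy src=10.0.0.9 url=http://cdn.evil.example/a.js",
    "host=fw01 sourcetype=fw src=203.0.113.77 dest=10.0.0.5 action=blocked",
    "host=proxy01 sourcetype=proxy src=10.0.0.9 url=https://www.example.com/",
    "host=dns01 sourcetype=dns query=notevil.example",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_threat_list(entries):
    """Split feed entries into IP networks (a bare IP becomes a /32) and domains."""
    networks, domains = [], {}
    for indicator, feed in entries.items():
        try:
            networks.append((ipaddress.ip_network(indicator, strict=False), feed))
        except ValueError:  # not an IP or CIDR, so treat it as a domain
            domains[indicator.lower().rstrip(".")] = feed
    return networks, domains


def match_ip(value, networks):
    """Return the feed name if value is an IP inside any listed network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    for net, feed in networks:
        if addr in net:
            return feed
    return None


def match_domain(value, domains):
    """Check the host and each parent domain (never the bare TLD)."""
    labels = value.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return domains[candidate]
    return None


def correlate(log_lines, entries):
    """Return (host, sourcetype, field, indicator, feed) for every threat-list hit."""
    networks, domains = load_threat_list(entries)
    hits = []
    for line in log_lines:
        fields = dict(KV_RE.findall(line))
        host, sourcetype = fields.get("host"), fields.get("sourcetype")
        for field in ("src", "dest"):
            feed = match_ip(fields.get(field, ""), networks)
            if feed:
                hits.append((host, sourcetype, field, fields[field], feed))
        if "url" in fields:
            hostname = urlsplit(fields["url"]).hostname or ""
            feed = match_domain(hostname, domains)
            if feed:
                hits.append((host, sourcetype, "url", hostname, feed))
        if "query" in fields:
            feed = match_domain(fields["query"], domains)
            if feed:
                hits.append((host, sourcetype, "query", fields["query"], feed))
    return hits


def summarize(hits):
    """Count hits per (host, sourcetype), the grouping a hunting dashboard shows."""
    counts = defaultdict(int)
    for host, sourcetype, *_ in hits:
        counts[(host, sourcetype)] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOGS, THREAT_LIST):
        print(hit)
    print(summarize(correlate(SAMPLE_LOGS, THREAT_LIST)))
```

On the constructed input this yields three hits (two on fw01, one on proxy01); the DNS query for `notevil.example` is correctly left alone because matching walks label boundaries rather than doing a substring search.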
Demo / Hunting Exercise


[Screenshot: Optiv Threat Intel splash page, showing three threat-list summary counters (48,722 / 9,990 / 18,832)]


Questions 

Derek.Arnold@optiv.com 